Abstract. Suppose $X$ is the complex zero set of a finite collection of polynomials in $\mathbb{Z}[x_1, \ldots, x_n]$. We show that deciding whether $X$ contains a point all of whose coordinates are $d^{\text{th}}$ roots of unity can be done within $\mathbf{NP}^{\mathbf{NP}}$ (relative to the sparse encoding), under a plausible assumption on primes in arithmetic progression. In particular, our hypothesis can still hold even under certain failures of the Generalized Riemann Hypothesis, such as the presence of Siegel-Landau zeroes. Furthermore, we give a similar unconditional complexity upper bound for $n = 1$. Finally, letting $T$ be any algebraic subgroup of $(\mathbb{C}^*)^n$ we show that deciding $X \supseteq T$ is coNP-complete (relative to an even more efficient encoding), unconditionally. We thus obtain new non-trivial families of multivariate polynomial systems where deciding the existence of complex roots can be done unconditionally in the polynomial hierarchy — a family of complexity classes lying between PSPACE and P, intimately connected with the $\mathbf{P} \stackrel{?}{=} \mathbf{NP}$ Problem. We also discuss a connection to Laurent's solution of Chabauty's Conjecture from arithmetic geometry.



1. Introduction 

While the algorithmic complexity of many fundamental problems in algebraic geometry remains unknown, important recent advances have revealed that algebraic geometry and algorithmic complexity are closely and subtly intertwined. For instance, consider the problem of deciding whether a complex algebraic set — specified as the zero set of a collection of multivariate polynomials — is empty or not. This is the complex feasibility problem, $\mathrm{FEAS}_{\mathbb{C}}$, and we denote its restriction to any family $\mathcal{F}$ of polynomial systems by $\mathrm{FEAS}_{\mathbb{C}}(\mathcal{F})$.

Note: The complexity classes we are about to mention are reviewed briefly in Section 3 (see [Pap95] for an excellent introductory account).

Before seminal work of Pascal Koiran [Koi96], the only connection known between $\mathrm{FEAS}_{\mathbb{C}}$ and the P = NP problem was that $\mathrm{FEAS}_{\mathbb{C}}$ is NP-hard, i.e., a polynomial time algorithm for $\mathrm{FEAS}_{\mathbb{C}}$ would imply P = NP. (The P = NP problem is the most famous open problem from theoretical computer science and has a vast literature (see, e.g., [Sma00] and the references in [GJ79, Pap95]).) However, NP-hardness tells us little about what complexity class $\mathrm{FEAS}_{\mathbb{C}}$ actually belongs to, or how quickly we can anticipate solving a given instance of $\mathrm{FEAS}_{\mathbb{C}}$. Koiran's paper [Koi96] was the first to show that the truth of the Generalized Riemann Hypothesis (GRH) yields the implication $\mathrm{FEAS}_{\mathbb{C}} \notin \mathbf{P} \Longrightarrow \mathbf{P} \neq \mathbf{NP}$, and [Roj03] later showed that this implication could still hold even under certain failures of GRH. Furthermore, the underlying algorithms are entirely different from the usual techniques of commutative algebra (e.g., Gröbner bases and resultants) and thus breathe new life into an old problem.

Here we present algorithms revealing new non-trivial families $\mathcal{F}$ of multivariate polynomial systems where the implication $\mathrm{FEAS}_{\mathbb{C}}(\mathcal{F}) \notin \mathbf{P} \Longrightarrow \mathbf{P} \neq \mathbf{NP}$ holds unconditionally. We also present several examples indicating that the algorithms yielding our main results may be quite practical. In the coming sections, we will detail some of the intricacies behind making such algorithms free from unproved number-theoretic hypotheses. We begin by stating a number-theoretic hypothesis that is demonstrably weaker than GRH. We use $\mathbb{N}$ for the positive integers.

Arithmetic Progression Hypothesis (APH). There is an absolute constant $C > 1$ such that for any $x, M \in \mathbb{N}$ with $x >$ 2'°s *^ the set $\{1 + kM \mid k \in \{1, \ldots, x\}\}$ contains at least i^gC^f^^j^^i primes.

Assumptions even stronger than APH are routinely used, and widely believed, in the cryptology and algorithmic number theory communities (see, e.g., [Mil76, Mih94, Koi97, Roj01, Hal05]). In particular, while APH is implied by GRH for the number fields $\{\mathbb{Q}(\omega_M)\}_{M \in \mathbb{N}}$, where $\omega_M$ denotes a primitive $M^{\text{th}}$ root of unity, APH can still hold under certain failures of the latter hypotheses, e.g., the presence of infinitely many zeroes off the critical line [Roj03].

Theorem 1.1. Suppose $f_1, \ldots, f_k \in \mathbb{Z}[x_1, \ldots, x_n]$, $x := (x_1, \ldots, x_n)$, and $d_1, \ldots, d_n \in \mathbb{N}$. Let TorsionPoint denote the following problem: Decide whether the system of equations

$$f_1(x) = \cdots = f_k(x) = x_1^{d_1} - 1 = \cdots = x_n^{d_n} - 1 = 0$$

has a solution in $\mathbb{C}^n$. Also let the input size of the preceding polynomial system be $\left(\sum_{i=1}^{k} \mathrm{size}(f_i)\right) + \sum_{i=1}^{n} \mathrm{size}(x_i^{d_i} - 1)$, where $\mathrm{size}\left(\sum_{i=1}^{m} c_i x_1^{a_{i1}} \cdots x_n^{a_{in}}\right) := \sum_{i=1}^{m} \log\{(|c_i| + 2)(a_{i1} + 2) \cdots (a_{in} + 2)\}$, and let TorsionPoint$_1$ denote the restriction of TorsionPoint to univariate polynomials. Then

(1) TorsionPoint $\in$ AM, assuming APH.

(2) Unconditionally, TorsionPoint$_1 \in \mathbf{NP}^{\mathbf{NP}}$ and TorsionPoint$_1$ is already NP-hard.

(3) When restricted to fixed $n$ and $d_1, \ldots, d_n$, TorsionPoint $\in$ P unconditionally.

In particular, TorsionPoint$_1 \notin \mathbf{P} \Longrightarrow \mathbf{P} \neq \mathbf{NP}$ unconditionally.

Our notion of input size is quite natural: To put it roughly, $\mathrm{size}(f)$ measures the amount of ink (or memory) one must use to record the monomial term expansion of $f$. Note that the degree of a polynomial can be exponential in its input size if the polynomial is sparse, e.g., size(llz — 2x'tf z + x^) $= \Theta(\log D)$. (We employ the usual computer science notations $O(\cdot)$ and $\Omega(\cdot)$ to respectively denote upper and lower bounds that are asymptotically true up to a multiplicative constant. When both conditions hold, then one writes $\Theta(\cdot)$.) Thus, in the miraculous event that P = NP, our algorithm yielding Assertion (2) above has complexity polynomial in the bit-sizes of the $f_i$ and the logarithms of the $d_i$ — a property not present in any earlier algorithm for TorsionPoint$_1$.

Alternatively, Theorem 1.1 tells us that we can try to prove $\mathbf{P} \neq \mathbf{NP}$ by showing that TorsionPoint$_1 \notin \mathbf{P}$, thus giving another opportunity for algebraic geometry tools for the P = NP problem (see also [MS01] for a different approach via geometric invariant theory). Indeed, should one eventually prove unconditionally that TorsionPoint lies in the polynomial hierarchy then it would be more profitable to proceed with an attempt to prove TorsionPoint $\notin \mathbf{P}$ rather than TorsionPoint$_1 \notin \mathbf{P}$ (since TorsionPoint is at least as hard a problem as TorsionPoint$_1$).

Example 1.2 (A Sparse, but Large, Resultant). Suppose we would like to know if $f(x_1) := c_1 + c_2 x_1^{a_2} + \cdots + c_{m-1} x_1^{a_{m-1}} + c_m x_1^{D}$ vanishes at some $M^{\text{th}}$ root of unity, where m = G(log^M), the $c_i$ are integers of absolute value bounded above by 10, and $a_2 < \cdots < a_{m-1} < D < M$ are positive integers. The classical resultant for two polynomials in one variable (see, e.g., [GKZ94]) then tells us that $f$ vanishes at an $M^{\text{th}}$ root of unity iff the determinant of a highly structured $(D + M) \times (D + M)$ matrix vanishes. Such a matrix is a special case of what is known as a quasi-Toeplitz matrix.

The best general algorithms for evaluating such determinants yield a randomized bit complexity upper bound of 0{{D -\- MY\og\D -f M)), for some absolute constant ri>0 [EP05]. (Gröbner bases, being far more general than what we need, yield a deterministic complexity upper bound no better than [D -f M)'^^^^ bit operations (see, e.g., [Lak91]).) More directly, one could also compute the gcd of $f$ and $x_1^M - 1$, but this still leads to a deterministic bit complexity upper bound no better than $O(DM)$ (see, e.g., [BPR06, Ch. 8]). Solving even this special case of TorsionPoint$_1$ within $O((D + M)^{\varepsilon})$ bit operations for some $\varepsilon \in (0, 1)$ is thus still an open problem. $\diamond$

While the NP-hardness of TorsionPoint$_1$ was derived earlier by David A. Plaisted [Pla84] in a different context, our complexity upper bounds are new: the best previous upper bounds were PSPACE [Can88] (unconditionally), $\mathbf{P}^{\mathbf{NP}^{\mathbf{NP}}}$ [Roj03], or AM [Koi96] (under successively stronger unproved number-theoretic hypotheses, all stronger than APH), following from much more general results. It is also interesting to note that TorsionPoint$_1$ is the same as detecting the vanishing of so-called cyclic resultants, which arise in dynamical systems and knot theory [Hil05].

Let us now motivate and clarify our use of the term "torsion point" by showing how our results can also be viewed in the context of Lang's Conjecture from Diophantine geometry (see, e.g., [Lan97, Conj. 6.3, pp. 37-38]).

Notation. Throughout this paper, we will let $x^a := x_1^{a_1} \cdots x_n^{a_n}$ and $m \cdot x := (m_1 x_1, \ldots, m_n x_n)$, where it is understood that $a = (a_1, \ldots, a_n) \in \mathbb{Z}^n$, $m = (m_1, \ldots, m_n) \in (\mathbb{C}^*)^n$, and $x = (x_1, \ldots, x_n) \in (\mathbb{C}^*)^n$. Also, given $d_1, \ldots, d_r \in \mathbb{Z}^n$, we let $T(d_1, \ldots, d_r)$ denote the subgroup of $x \in (\mathbb{C}^*)^n$ satisfying $x^{d_1} = \cdots = x^{d_r} = 1$. We call any point of $(\mathbb{C}^*)^n$ with each coordinate a root of unity a torsion point. Finally, for any $g_1, \ldots, g_k \in \mathbb{Z}[x_1, \ldots, x_n]$, $Z(g_1, \ldots, g_k)$ denotes the zero set of $g_1, \ldots, g_k$ in $\mathbb{C}^n$. $\diamond$

The subgroup $T(d_1, \ldots, d_r)$ is sometimes known in algebraic geometry as a subtorus and the set $m \cdot T(d_1, \ldots, d_r)$ is usually called a translated subtorus. The distribution of torsion points and subtori on algebraic sets happens to be quite special: a given algebraic set will have all its torsion points contained in a subset that is a finite union of subtori, each translated by a torsion point. This follows from a famous result of Laurent [Lau84] which was conjectured earlier by Chabauty [Cha38]. Explicit bounds on how many torsion points can lie in an algebraic set have been given by Ruppert in certain cases [Rup93], and Bombieri and Zannieri in far greater generality [BZ95].

Given these deep results, one may suspect that $\mathrm{FEAS}_{\mathbb{C}}(\mathcal{F})$ can be sped up when the underlying family $\mathcal{F}$ is restricted to problems involving torsion points. Our two main theorems show that this is indeed the case. In particular, Theorem 1.3 below complements Theorem 1.1 by examining when an algebraic set contains an entire subgroup worth of torsion points, as opposed to a single torsion point. Please note that Theorem 1.3 does not depend on any unproved hypotheses.

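Theorem 1.3. Following the notation above, for any $\ell_1, \ldots, \ell_k \in \mathbb{N}$, $d_1, \ldots, d_r \in \mathbb{Z}^n$ and $f_{i,j} \in \mathbb{Z}[x_1, \ldots, x_n]$ with $(i,j)$ ranging over $\bigcup_{i=1}^{k} \{(i,1), \ldots, (i,\ell_i)\}$, let HasTorus denote the problem of deciding whether

$$T(d_1, \ldots, d_r) \subseteq Z\left(\prod_{j=1}^{\ell_1} f_{1,j}, \ldots, \prod_{j=1}^{\ell_k} f_{k,j}\right).$$

Then, measuring the underlying input size instead as

$$\left(\sum_{i=1}^{r} \mathrm{size}(d_i)\right) + \sum_{i=1}^{k} \sum_{j=1}^{\ell_i} \mathrm{size}(f_{i,j}),$$

we have:

(1) HasTorus $\in$ coNP, and the restriction of HasTorus to $n = 1$ is already coNP-hard.

(2) For fixed $n$, $\ell_1, \ldots, \ell_k$, and $d_1, \ldots, d_r$, we have HasTorus $\in$ P.

In particular, HasTorus $\notin \mathbf{P} \Longleftrightarrow \mathbf{P} \neq \mathbf{NP}$.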

Assertions (1) and (2) of Theorem 1.3, in the special case $n = 1$, were derived earlier respectively in [Pla84] and Theorem 2 of the first ArXiV version of [BRS07], but with no reference to tori. Note in particular that our first notion of size for $\prod_j g_j$ can be exponential in $\sum_j \mathrm{size}(g_j)$ (e.g., take $g_j := x_j - 1$ for all $j$), so Theorem 1.3 uses a much more compact notion of input size than Theorem 1.1.

Theorems 1.1 and 1.3 can thus be viewed as first steps toward an algorithmic
counterpart to Laurent's Theorem. In particular, having derived nearly tight lower 
and upper complexity bounds, our results allow us to efficiently detect the presence 
of subtori. Determining the actual exceptional locus — i.e., the precise finite 
union of translated subtori containing all the torsion points in a given algebraic set 
— remains an open problem. 

Laurent's Theorem has since been extended to algebraic groups more general than $(\mathbb{C}^*)^n$ — semi-Abelian varieties — by McQuillan [McQ95], thus solving the aforementioned Lang Conjecture [Lan97, Conj. 6.3, pg. 37-38]. For instance, a very special case of McQuillan's more general result is the Faltings-Mordell Theorem. A very special case of the latter result is the fact that an algebraic curve of genus $\geq 2$, say, defined as the zero set of a bivariate polynomial with rational coefficients, has at most finitely many rational points.

The existence of algorithmic counterparts to these more general results is thus a tantalizing possibility. An implementable algorithm for finding torsion points on Jacobians of algebraic curves of genus $\geq 2$ has already been detailed by Bjorn Poonen [Poo01], and the complexity appears (but has not yet been proved) to be polynomial-time for fixed genus [Poo05]. Such a complexity bound, if proved for the sparse encoding, would form an intriguing analogue to the polynomiality of TorsionPoint for fixed $n$ and $d_1, \ldots, d_n$.

In closing this introduction, let us point out that our improved complexity bounds appear to hinge on the highly refined structure of the Galois groups underlying our equations: cyclic. In particular, whereas complex feasibility for an input system $F$ is (conjecturally) solvable by checking the density of primes $p$ for which the mod $p$ reduction of $F$ has a root mod $p$ [Koi96], our algorithms instead use a single well-chosen $p$. It is therefore appropriate to formulate the following conjecture, based on an observation of Rachel Pries [Pri06]:

Conjecture. Suppose $\mathcal{F}$ is the family of polynomial systems $F$ such that $Z(F)$ is finite and the Galois group of $F$ over $\mathbb{Q}$ is dihedral or bicyclic. Then the restriction of $\mathrm{FEAS}_{\mathbb{C}}$ to $\mathcal{F}$ lies in unconditionally.



While the algorithm underlying the general case of Theorem 1.1 is simpler than that of Theorem 1.3, the key ideas flow more clearly if we begin with the latter theorem. So we review some key ideas in one variable in Section 2 and then prove Theorem 1.3 in Section 3 below. We finally prove Theorem 1.1 across Sections Uandini and briefly discuss some limits to possible improvements in Section [S]

1.1. Comparison to Related Results. As mentioned before, our main results improve upon Koiran's earlier algorithms for $\mathrm{FEAS}_{\mathbb{C}}$ [Koi96] by relaxing, or removing entirely, his assumption of GRH for certain input families. Our success in the setting of torsion points and subtori can hopefully be extended to situations where the underlying Galois groups are more complicated, and membership in the polynomial hierarchy was possible only under stronger assumptions [Koi96, Roj03]. We also point out that the work of David Alan Plaisted [Pla84] — which focussed on polynomials in one variable — was a central inspiration behind this paper. Our results extend [Pla84] to multivariate polynomials and subtori, and suggest the broader context of computational arithmetic geometry [Roj01].

One should also remember earlier work of Grigoriev, Karpinski, and Odlyzko [GKO96], where it was shown that one can decide if one sparse univariate polynomial divides another, within coNP, assuming GRH. Our Theorem 1.3 can be viewed as an unconditional extension of their result to certain multivariate binomial ideals. Needless to say, the results of [Koi96, Roj03] contain those of [GKO96] as special cases, but the more general results still depend on unproved number-theoretic hypotheses.

Finally, we point out that as this paper was being completed, the author found the paper [FS04] during a MathSciNet search. In this paper, the authors present a polynomial-time algorithm (found by their referee [FS04, Thm. 3 and Algor. A, pp. 959-962; Acknowledgements]) for deciding whether a sparse univariate polynomial of degree $D$ is divisible by the $d^{\text{th}}$ cyclotomic polynomial for an input integer $d$ whose factorization is known. (David A. Plaisted claimed such a result 20 years before [FS04], but without a proof [Pla84, Top of page 132].) As a consequence, they prove that for a fixed number of monomial terms, one can restrict to $d$ with prime factors bounded above by a constant, and thus one obtains a bona fide polynomial time algorithm since such integers can be factored in polynomial time. An analogous speed-up for the restriction of TorsionPoint$_1$ to a fixed number of monomial terms appears to remain unknown.

The techniques of [FS04] are quite similar to those of [Pla84], with two exceptions: (1) [FS04] makes no use of certificates in finite fields and (2) [FS04] makes clever use of a result of Conway and Jones [CJ76] stating in essence that polynomials vanishing at a primitive $d^{\text{th}}$ root of unity can not be "too sparse" as a function of $d$.

Our techniques complement the results of [FS04] by showing that their main problem lies in the polynomial hierarchy unconditionally, even when the number of monomial terms varies and the factorization of $d$ is unknown. This follows directly from our proof of Theorem 1.3, which also extends their context to subtori in higher dimensions.

2. Roots of Unity, Primes, and Illustrative Examples 

Definition 2.1. For any ring $R$ we will let $R^*$ denote the group of multiplicatively invertible elements of $R$. Also, a primitive $M^{\text{th}}$ root of unity is a complex number $\omega \in \mathbb{C}$ such that $\omega^M = 1$ and $[\omega^{M'} = 1 \Longrightarrow M \mid M']$. The cyclotomic polynomial, $\Phi_M \in \mathbb{Z}[x_1]$, is then the minimal polynomial for the primitive $M^{\text{th}}$ roots of unity. $\diamond$



Example 2.2. Specializing Example 1.2 from the Introduction, note that the following assertions are equivalent: (1) $f$ vanishes at an $M^{\text{th}}$ root of unity, (2) $f$ vanishes at a primitive $d^{\text{th}}$ root of unity for some $d \mid M$, (3) $\Phi_d(x_1) \mid f(x_1)$ for some $d \mid M$. For the sake of illustration, let us assume $91 \mid M$ and take $d = 91$. Since $x_1^M - 1 = \prod_{d \mid M} \Phi_d(x_1)$ for all $M$ (see, e.g., [BS96, Ch. ]), it is then easy to see that $f$ vanishes at a primitive $91^{\text{st}}$ root of unity $\Longleftrightarrow (x_1^{91} - 1) \mid f(x_1)(x_1^{13} - 1)(x_1^{7} - 1)$. The latter condition is in turn equivalent to the truth of

$$(\star) \qquad (x_1^{91c} - 1) \mid f(x_1^c)(x_1^{13c} - 1)(x_1^{7c} - 1)$$

for all $c \in \mathbb{N}$. $\diamond$

Our main algorithmic tricks — when specialized to the example above — are (a) reducing the last check over all $c \in \mathbb{N}$ to a single well chosen $c$ and (b) working over a finite field instead of $\mathbb{Z}[x_1]$. In particular, assuming $91c + 1$ is prime, it follows easily from Fermat's Little Theorem that $(\star) \Longrightarrow f(x_1^c)(x_1^{13c} - 1)(x_1^{7c} - 1) \equiv 0 \bmod 91c + 1$ for all $x_1 \in (\mathbb{Z}/(91c + 1)\mathbb{Z})^*$. The multivariate lemma below will later help us derive that the converse holds as well, provided $c$ is large enough.

Lemma 2.3. For any polynomials $g, g_1, \ldots, g_k \in \mathbb{Z}[x_1, \ldots, x_n]$ (expressed as sums of monomial terms), let $\|g\|_1$ denote the sum of the absolute values of the coefficients of $g$, and let $d_i := \deg_{x_i} g$ for all $i$. Then

Also, if $q$ is a prime satisfying $q > \|g\|_1,\ 1 + \max_i\{d_i\}$; and $g(x) \equiv 0 \bmod q$ for all $x \in ((\mathbb{Z}/q\mathbb{Z})^*)^n$, then $g$ is identically 0.
Remark 2.4. One should recall Schwartz's Lemma [Sch80], which asserts that for any field $K$, and any finite subset $S \subseteq K$, a polynomial $g \in K[x_1, \ldots, x_n]$ that is not identically zero vanishes at $\leq (d_1 + \cdots + d_n)\,\#S^{n-1}$ points of $S^n$. Applying this result would, however, yield a weaker version of the second part of our lemma by requiring a larger $q$ (q> di ). Nevertheless, the proof below is quite reminiscent of the proof of Schwartz's Lemma. $\diamond$

Proof of Lemma 2.3: Writing $g_j(x) = \sum_{a \in A_j} c_{j,a} x^a$ for all $j$, observe that



n 



9j 



HE 

j=l a£Aj 



E 



a— aiH hofc 

a j €:Aj for all j 



E 



n 



■'j.a'- 



(a;,...,a;,)G(Ai,...,A;,) 
fliH hflfc— a 



< 



E 



E 



n 



< 



'^=°,i+---+^,''.(i'i,...,a'j6(Ai,...,Afc)i=l 
a^eAj for all J „'^...i„'=„ 



n E 

j=l ajeAj 



So the first portion is proved.

We now proceed by induction on $n$: If $n = 1$ then $g(x_1) \equiv 0 \bmod q$ for all $x_1 \in (\mathbb{Z}/q\mathbb{Z})^* \Longrightarrow c_0 \equiv \cdots \equiv c_{d_1} \equiv 0 \bmod q$, since $q - 1 > d_1$ and a (not identically zero) polynomial of degree $\leq d_1$ can have at most $d_1$ roots in $(\mathbb{Z}/q\mathbb{Z})^*$. Since $q > \|g\|_1 \geq \max_i |c_i|$, we thus have $c_0 = \cdots = c_{d_1} = 0$, and our base case is complete.

To conclude, assume that the second portion of our lemma holds for some fixed $n \geq 1$. Let us then temporarily consider $g$ as a polynomial in $x_{n+1}$ with coefficients in $\mathbb{Z}[x_1, \ldots, x_n]$. Let $c_i(x_1, \ldots, x_n)$ denote the coefficient of $x_{n+1}^i$. Fixing any values for $x_1, \ldots, x_n$, observe that just as in the last paragraph, $g$ can vanish at no more than $d_{n+1}$ values of $x_{n+1} \in (\mathbb{Z}/q\mathbb{Z})^*$. Since $q - 1 > d_{n+1}$ we then obtain $c_0(x_1, \ldots, x_n) \equiv \cdots \equiv c_{d_{n+1}}(x_1, \ldots, x_n) \equiv 0 \bmod q$ for all $x_1, \ldots, x_n \in (\mathbb{Z}/q\mathbb{Z})^*$. Since $\|c_i(x_1, \ldots, x_n)\|_1 \leq \|g\|_1$ for all $i$, and since the $c_i$ have exponents no larger than $q - 2$, our induction hypothesis then implies that $c_0, \ldots, c_{d_{n+1}}$ are identically 0, and thus $g$ is indeed identically 0. $\blacksquare$

That we can pick a small $c$ with $cM + 1$ prime is guaranteed by a classic theorem of Linnik.



Linnik's Theorem. The least prime of the form $cM + b$, where $M$ and $b$ are relatively prime integers and $1 \leq b < M$, does not exceed $M^{C_0}$ for some absolute constant $C_0$. $\blacksquare$

The best current unconditional estimate for $C_0$ is $C_0 \leq 5.5$, assuming $M$ is sufficiently large [HB92]. It is also known that the truth of GRH implies that we can take $C_0 = 2 + \varepsilon$ for any $\varepsilon > 0$, but of course valid only for $M > M_0$, with $M_0$ an increasing function of i [BS96, Thm. 8.5.8, pg. 223].



Example 2.5 (A Number-Theoretic Speed-Up). Let us consider



f(xi) := X 



- 249255 o 248928 , . 234655 
- OX^ — 6X^ + 4x^ 



+4x;^««8« - 5a;;«"" + Sxl'^'^^'^ + 2: 



+3x1''^^''^ 

_4^142969 
r- 88198 



34655 c- 221135 , „ 213883 210952 
— OX ^X — X 



, ^180273 

. 170662 „ 168177 164270 . - 157315 . „ 154380 

— 413^-1^ ~\~ oX ~t~ X ~\- OX -p ^X 

^ 139399 , o 127018 "~ 



-1- 3a;;^««5^ 



. _ 147177 „ 144498 

'-tj^ ~p tj j> ^jiy-^ ~r~ ox — ^x 

„ 139399 „ 127018 , , 103857 . 101698 , 97641 „ 91638 _ 88391 
— ZiX -j- oX ^ ~\- oX — 43^-1^ -p X -p z,X — OX 

. 86818 , r, 85759 , _ 73803 64076 „ 60689 ^ 50793 _ 24214 , . 22380 

Ax-^ + ox-y^ + ox-^ ~ ^■'^1 ~ "J^i ~ -^^1 ~ 5^1 "T" 






J. MAURICE ROJAS 



which has degree 255255 and exactly 46 monomial terms, and suppose we'd like to verify whether $f$ vanishes at some $510510^{\text{th}}$ root of unity. To illustrate our approach via cyclotomic polynomials, let us first see if $f$ vanishes at a primitive $91^{\text{st}}$ root of unity. As observed earlier, when $q := 91c + 1$ is prime, we have that $(x_1^{91c} - 1) \mid f(x_1^c)(x_1^{13c} - 1)(x_1^{7c} - 1) \Longrightarrow f(t^c)(t^{13c} - 1)(t^{7c} - 1) \equiv 0 \bmod q$ for all $t \in (\mathbb{Z}/q\mathbb{Z})^*$. So Condition $(\star)$ implies a certain congruence holds. However, the reduction goes the other way as well: Lemma 2.3 (applied to the mod reduction of $f(t)(t^{13} - 1)(t^{7} - 1)$) tells us that the converse to the preceding implication holds, provided $q$ is prime, $q > \|f\|_1 \|x_1^{13} - 1\|_1 \|x_1^{7} - 1\|_1 = 568$, and $q > 255256$.

In particular, $2842 \cdot 91 + 1 = 258623$ is prime. So to check whether $f$ vanishes at a primitive $91^{\text{st}}$ root of unity, we need only check whether

$$f(t^{2842})(t^{2842 \cdot 13} - 1)(t^{2842 \cdot 7} - 1) \equiv 0 \bmod 258623 \text{ for all } t \in (\mathbb{Z}/258623\mathbb{Z})^*.$$

Since $t = 3$ yields 76177 for the product polynomial above, we thus have certification that $f$ does not vanish at any primitive $91^{\text{st}}$ root of unity. Similar calculations for small choices of $c$ and $t$ then suffice to show that $f$ does not vanish at any primitive $d^{\text{th}}$ root of unity for any other $d \mid 510510$ either. (Excluding the easy case $d = 1$ and the case $d = 91$ we just did, there are exactly 126 other such cases.) Thus, we can at last certify that $f$ does not vanish at any $510510^{\text{th}}$ root of unity. $\diamond$

It is easily checked that the number of bit operations for the calculations of Example 2.5 (including the work for the additional 126 cases of $d \mid 510510$) lies in the lower hundreds of thousands. (This is via standard mod $n$ arithmetic (see, e.g., [BS96, Ch. 5]), with no use of FFT multiplication.) More concretely, the finite field certificate check above took but a fraction of a second. On the other hand, computing the gcd of $x_1^{510510} - 1$ and the $f$ above took 37 minutes and 38.9 seconds. We analyze the underlying asymptotic complexity in greater depth in the next section, where we also formalize our algorithm for HasTorus.
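An added example (not code from the paper): the finite-field certificate of Examples 2.2 and 2.5, generalized from $d = 91$ to any $d$ by multiplying $f$ by $\prod_{p \mid d} (x^{d/p} - 1)$ over the primes $p$ dividing $d$, which for $d = 91$ is exactly the product $(x^{13} - 1)(x^{7} - 1)$ used above. The function names, the dictionary representation of $f$ and the two sample polynomials are assumptions made here, and $t$ is found by brute-force search.

```python
# Sparse f is a dict {exponent: coefficient} (a representation chosen for this example).

def is_prime(n):
    """Trial division; adequate for the small moduli used in this example."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True


def prime_divisors(d):
    """Distinct primes dividing d, in increasing order."""
    out, p = [], 2
    while p * p <= d:
        if d % p == 0:
            out.append(p)
            while d % p == 0:
                d //= p
        p += 1
    if d > 1:
        out.append(d)
    return out


def choose_modulus(f, d):
    """Least prime q = c*d + 1 exceeding the two bounds of Example 2.5:
    the product of the 1-norms of f and the binomial factors, and deg(f) + 1."""
    norm_bound = sum(abs(c) for c in f.values()) * 2 ** len(prime_divisors(d))
    lower = max(norm_bound, max(f) + 1)
    c = 1
    while not (c * d + 1 > lower and is_prime(c * d + 1)):
        c += 1
    return c, c * d + 1


def product_at(f, d, c, q, t):
    """f(t^c) * prod_{p | d} (t^(c*d/p) - 1) mod q, using only modular powers,
    so the cost depends on the number of terms of f and log(degree), not the degree."""
    s = pow(t, c, q)
    value = sum(coef * pow(s, e, q) for e, coef in f.items()) % q
    for p in prime_divisors(d):
        value = value * (pow(s, d // p, q) - 1) % q
    return value


def vanishes_at_primitive_root(f, d):
    """Decide whether f vanishes at a primitive d-th root of unity.

    Returns (answer, witness, q). A witness t with nonzero product certifies
    "no"; if every t in (Z/qZ)^* gives 0, the bounds on q force "yes".
    """
    c, q = choose_modulus(f, d)
    for t in range(1, q):
        if product_at(f, d, c, q, t) != 0:
            return False, t, q
    return True, None, q


# Constructed inputs. F_YES is 1 + x^13 + ... + x^78 with each exponent shifted
# by a multiple of 91, so it still vanishes at every primitive 91st root of unity.
F_YES = {0: 1, 286: 1, 936: 1, 676: 1, 1872: 1, 156: 1, 1443: 1}
# F_NO adds the single term x^5, which destroys the divisibility by Phi_91.
F_NO = dict(F_YES)
F_NO[5] = 1

if __name__ == "__main__":
    print(vanishes_at_primitive_root(F_YES, 91))
    print(vanishes_at_primitive_root(F_NO, 91))
```

Repeating the call for each divisor $d$ of $M$ decides vanishing at some $M^{\text{th}}$ root of unity, as in Example 2.5.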

3. Complexity Issues and Proving Theorem 1.3: Detecting Subtori Unconditionally

Let us recall the following informal descriptions of some famous complexity classes. A completely rigorous and detailed description of the classes below can be found in the excellent reference [Pap95]. Our underlying computational model is the classical Turing model. For concreteness, it is not unrealistic to simply imagine that we are working with a laptop computer, equipped with infinite memory, flawless hardware, and a flawless operating system: classical theorems from complexity theory allow one to define the complexity classes below in a machine-independent manner. (We omit these more formal definitions for brevity.) In particular, we can identify "time" or "work" with how long our laptop computer takes to solve a given problem, and "input size" can simply be identified with the number of bytes in some corresponding input file.



Using the computer algebra system Maple 9.5, on diana, the author's 4Gb dual-Athlon 2 GHz Fedora Core 4 Linux system.
P  The family of decision problems which can be done within time polynomial in the input size.

BPP  The family of decision problems admitting randomized algorithms that terminate in polynomial-time to give an answer which is correct with probability at least |.

NP  The family of decision problems where a "Yes" answer can be verified within time polynomial in the input size.

coNP  The family of decision problems where a "No" answer can be verified within time polynomial in the input size.

AM  The family of decision problems solvable by a BPP algorithm which has been augmented with exactly one use of an oracle in NP.

$\mathbf{NP}^{\mathbf{NP}}$  The family of decision problems where a "Yes" answer can be certified by using an NP-oracle a number of times polynomial in the input size.

$\mathbf{P}^{\mathbf{NP}^{\mathbf{NP}}}$  The family of decision problems solvable within time polynomial in the input size, with as many calls to an $\mathbf{NP}^{\mathbf{NP}}$ oracle as allowed by the time bound.

PSPACE  The family of decision problems solvable within time polynomial in the input size, provided a number of processors exponential in the input size is allowed.

EXPTIME  The family of decision problems solvable within time exponential in the input size.

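The inclusions

$$\mathbf{P} \subseteq \mathbf{BPP} \cup \mathbf{NP} \subseteq \mathbf{AM} \subseteq \mathbf{coNP}^{\mathbf{NP}} \subseteq \mathbf{P}^{\mathbf{NP}^{\mathbf{NP}}}$$

and

$$\mathbf{P} \subseteq \mathbf{NP} \subseteq \mathbf{NP}^{\mathbf{NP}} \subseteq \mathbf{P}^{\mathbf{NP}^{\mathbf{NP}}} \subseteq \mathbf{PSPACE} \subseteq \mathbf{EXPTIME},$$

are fundamental in complexity theory [Pap95, BM88], and the properness of every explicitly stated inclusion above turns out to be a major open problem (as of late 2007). For instance, while we know that $\mathbf{P} \subsetneq \mathbf{EXPTIME}$, the inclusion $\mathbf{P} \subseteq \mathbf{PSPACE}$ is not even known to be proper. The first 6 complexity classes in the list above lie in a family known as the polynomial hierarchy. It is known that P = NP implies that the polynomial hierarchy collapses, which in particular yields the equalities $\mathbf{P} = \mathbf{NP} = \mathbf{coNP} = \mathbf{AM} = \mathbf{NP}^{\mathbf{NP}} = \mathbf{P}^{\mathbf{NP}^{\mathbf{NP}}}$ [Pap95, Thm. 17.9]. This standard fact will be used later.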

The structure of our main algorithms depends on a useful number-theoretic lemma stated below. In what follows, $e_i$ denotes the $i^{\text{th}}$ standard basis vector of whatever finite-dimensional module we are working in.

Definition 3.1. For any $g \in \mathbb{Z}[x_1, \ldots, x_n]$, let $\bar{g} \in \mathbb{Z}[x_1, \ldots, x_n]$ denote the polynomial obtained by reducing all exponent vectors in the monomial term expansion of $g$ modulo the additive subgroup $\langle d_1 e_1, \ldots, d_r e_r \rangle$ of $\mathbb{Z}^n$ and collecting terms. $\diamond$

Note that computing $\bar{g}$ is nothing more than repeatedly applying the substitution $x_i^{d_i} = 1$ (for all monomial terms and $i \in \{1, \ldots, r\}$), and simplifying, until one obtains a polynomial with degree $< d_i$ with respect to $x_i$ for all $i \in \{1, \ldots, r\}$. Note also that any coefficient of $\bar{g}$ is a sum of coefficients of $g$.

Note that the underlying polynomial depends only on the problem in question (e.g., matrix inversion, shortest path finding, primality detection) and not the particular instance of the problem.

It is easily shown that we can replace ^ by any constant strictly greater than i and still obtain the same family of problems.

Proposition 3.2. For any $g, g_1, \ldots, g_\ell \in \mathbb{Z}[x_1, \ldots, x_n]$, let $m_j$ denote the number of monomial terms of $g_j$ for all $j$. Then $\|\bar{g}\|_1 \leq \|g\|_1$, and the monomial term expansion of 0^=1 9j '^'^'^ computed within
O

bit operations.

Proof: The first portion follows directly from the definition of $\|\cdot\|_1$ and $\bar{g}$.

To prove the second portion, note that computing $\bar{g}_j$ consists simply of reducing the coordinates of the exponent vectors modulo integers of size no larger than $\max_i\{\log d_i\}$, and then summing up coefficients of monomial terms. So via basic fast finite field arithmetic (e.g., [BS96, Table 3.1, Pg. 43]), this can be done within

0\ max {size((?j), log(di)} logmax {size(gj), log(di)} ] bit operations. 




< 

1 



n 1 7 



Next, note that to compute Hj^iffi' can use the recurrence Gi := gi, 
Gj+i =Gjgj+i, and stop at Gi. Defining Hj to be the maximum bit-length of any 
coefficient of gj , the number of bit operations to compute G2 is then easily seen to be 
0*(min{mirn2, n[=i '^i} ('^1 + + X]i=i log^O)- (The 0*{-) notation indicates 
that additional factors polynomial in logKj and log log are omitted.) This bound 
is obtained by first computing 51^2 by simply multiplying all monomials of gi with 
all monomials of gi (using fast arithmetic along the way), collecting terms, and 
then reducing the exponents as in the definition of (•). Continuing inductively, our 

complexity bound follows directly, keeping in mind that 

n-=iii5.iii<n-=iii.9.iii- ■ 

Lemma 3.3. Following the notation above, suppose 5 G Z[ 
di,...,dr e N, D := 2 + max{maxig{i^...^r}{di},maxig{r+i,...,„}{deg^^5}}, 

M := ™'icm[{d^'}^"^ lcmi{(ii}, and assume c is a positive integer such that 
q:=cM + 1 is prime. Then 

T{d,e,, drcr) C Z{g) /^(^i''^'' ' ' ' ' ' . . . , t„) ^ mod g 

[for allti,...,tne{Z/qZ)*. 

Proof: Let J denote the ideal (x^^ — 1, . . . , xf'' — 1) C Q[xi, . . . , Xn]. Observe 
that the primary decomposition of J is clearly f] {xi — Ci, . . . , — Cr), 

and each ideal in the preceding intersection is prime. J is thus a radical ideal in 
Q[xi , . . . ,Xr]. Now let / := JnQfxi , . . . , x„] . Before proving our desired equivalence 
we will need the fact that the ideal / of Q[xi, . . . , Xn] is radical as well. So let us 
conclude this necessary digression as follows: 

Suppose e / for some / G Q[xi, . . . ,x„] and k > 1. Since J is radical and 
J ^I, we then clearly obtain the existence oi f i, fr GQ[xi, ... , Xn] with 

f{x) = {xi- - l)f,{x) + • • • + {xi^ - l)fr{x). 

Letting G denote the Galois group of the coefhcients of the fi over Q, let us define 
fi '■— ^S(tgg^(/') ^'^^ i e {!,..., r}. Observe then that f{x) also equals 
J2l=ii^i^ — and thus hes in / as well by Galois invariance. So / is radical. 

Returning to our main proof, we now see that: 

(A) T(diei, . . . , drBr) C Z{g) g&I, and 

(B) {x"" I a g {0, . . . , di — 1} X • • • X {0, . . . , c?r — 1}} is a Q-vector space basis for 

Q_[xu...,Xr]II. 

In particular, T{diei, . . . , drCr) Q Z(g) iff g is identically zero. So it sufRces to prove 
that g is identically zero <;=4> g(tl'^^'^^ , . . . , i^*^^'*'^, ir +i, . . . , tn^ = mod q for 
alHi, . . . , i„ e (Z/qZy. Let /^m (^rf ' - 1, • • • , - !)• 

($\Longrightarrow$): By (B), $\bar g$ identically zero $\Longrightarrow g\in I$, and thus $g\bigl(x_1^{cM/d_1},\ldots,x_r^{cM/d_r},x_{r+1},\ldots,x_n\bigr)\in I_{cM}$. Since $q:=cM+1$ is prime, Fermat's Little Theorem implies $t^{cM}-1\equiv 0 \bmod q$ for all $t\in\{1,\ldots,cM\}$, so

$g\bigl(t_1^{cM/d_1},\ldots,t_r^{cM/d_r},t_{r+1},\ldots,t_n\bigr)\equiv 0 \bmod q$, for all $t_1,\ldots,t_n\in(\mathbb{Z}/q\mathbb{Z})^*$.
(Remember that we have defined $M$ so that $d_i\mid M$ for all $i\in\{1,\ldots,r\}$.)

($\Longleftarrow$): By (B), $g-\bar g\in I$ for any $g\in\mathbb{Z}[x_1,\ldots,x_n]$. So we must then have

$g\bigl(x_1^{cM/d_1},\ldots,x_r^{cM/d_r},x_{r+1},\ldots,x_n\bigr)-\bar g\bigl(x_1^{cM/d_1},\ldots,x_r^{cM/d_r},x_{r+1},\ldots,x_n\bigr)\in I_{cM}$.

We therefore obtain that $g\bigl(t_1^{cM/d_1},\ldots,t_r^{cM/d_r},t_{r+1},\ldots,t_n\bigr)\equiv 0 \bmod q$ for all $t_1,\ldots,t_n\in(\mathbb{Z}/q\mathbb{Z})^*$ $\Longrightarrow$ $\bar g\bigl(t_1^{cM/d_1},\ldots,t_r^{cM/d_r},t_{r+1},\ldots,t_n\bigr)\equiv 0 \bmod q$ for all $t_1,\ldots,t_n\in(\mathbb{Z}/q\mathbb{Z})^*$, via another application of Fermat's Little Theorem.

Now note that $\|\bar g\|_1\leq\|g\|_1<M<q$ and

$\deg_{x_i}\bar g\bigl(x_1^{cM/d_1},\ldots,x_r^{cM/d_r},x_{r+1},\ldots,x_n\bigr)\leq(cM/d_i)(d_i-1)<cM=q-1$

for all $i\in\{1,\ldots,r\}$. Furthermore, $\deg_{x_i}\bar g=\deg_{x_i}g\leq D-2<M<q-1$ for all $i\in\{r+1,\ldots,n\}$. So Lemma 2.3 immediately implies that $\bar g$ is identically 0. ■

We now state our first main algorithm. 

Algorithm 3.4 (For problem HasTorus, with simplified subtori, unconditionally).

Input: Polynomials $f_{i,j}\in\mathbb{Z}[x_1,\ldots,x_n]$ with $(i,j)\in\bigcup_{i=1}^{k}\{(i,1),\ldots,(i,\ell_i)\}$, positive integers $d_1,\ldots,d_r$, and a suitable value for the constant $C_0$ from Linnik's Theorem.
Output: A true declaration of whether

$Z\bigl(\prod_{j=1}^{\ell_1}f_{1,j},\ldots,\prod_{j=1}^{\ell_k}f_{k,j}\bigr)\supseteq Z\bigl(x_1^{d_1}-1,\ldots,x_r^{d_r}-1\bigr)$.

Description:

(0) Replace each $f_{i,j}$ by $\bar f_{i,j}$ (following the notation above).

(1) Let 7V:=maXj jn^Li Af := Xm.fda^ lcm.i{d.i} , where D is 

2+max|niaXjg{i^...^r}{c?i},max(ij)g{i^...^fe}x{r+i,...,n} deg^^ 

(2) Nondeterministically, decide whether there is a c eN with c < M^" and 
q := cM + 1 prime, a t — {ti, . . . , tn) G ((Z/gZ)*)", and ar* i G {1, . . . , k}, 
such that 

ip,) n h,lfi"''\ • • ■ , if Wi, . . . , t„) ^ mod q. 

(3) If the desired $(c,t,i)$ from Step 2 exists then stop and output "NO". Otherwise, stop and output "YES". ⋄

The adverb "nondeterministically" can be interpreted in two ways: the simplest is to just ignore the word and employ brute-force search. This leads to an algorithm which is dramatically simpler and easier to implement than resultants or Gröbner bases. All of our examples were handled this simple way, and the respective timings were already competitive with the latter techniques (cf. Examples 1.2, 2.2, 2.5, and 5.4).

Alternatively, one can observe that Step 2 is equivalent to deciding the truth of a quantified Boolean sentence of the form $\forall y_1\cdots\forall y_u\,B(y_1,\ldots,y_u)$, with $B(y_1,\ldots,y_u)$ computable in time polynomial in the size of our initial input. This is clarified in our proof of Theorem 1.3 below.

Before starting our proof, we will need a lemma on integral matrices to quantify 
certain monomial changes of variables. 

Definition 3.5. Let $\mathbb{Z}^{m\times n}$ denote the set of $m\times n$ matrices with all entries integral, and let $GL_m(\mathbb{Z})$ denote the set of all matrices in $\mathbb{Z}^{m\times m}$ with determinant $\pm1$ (the set of unimodular matrices). Recall that any $m\times n$ matrix $[u_{ij}]$ with $u_{ij}=0$ for all $i>j$ is called upper triangular. Then, given any $M\in\mathbb{Z}^{m\times n}$, we call an identity of the form $UM=H$, with $H=[h_{ij}]\in\mathbb{Z}^{m\times n}$ upper triangular and $U\in GL_m(\mathbb{Z})$, a Hermite factorization of $M$. Also, if we have the following conditions in addition:

(1) $h_{ij}\geq 0$ for all $i,j$.

(2) for all $i$, if $j$ is the smallest $j'$ such that $h_{ij'}\neq 0$ then $h_{ij}>h_{i'j}$ for all $i'<i$.

then we call $H$ the Hermite normal form of $M$. ⋄

A Smith factorization is a more refined factorization of the form $UMV=S$ with $U\in GL_m(\mathbb{Z})$, $V\in GL_n(\mathbb{Z})$, and $S$ diagonal. In particular, if $S=[s_{i,j}]$ and we require additionally that $s_{i,i}\geq 0$ and $s_{i,i}\mid s_{i+1,i+1}$ for all $i\in\{1,\ldots,\min\{m,n\}\}$ (setting $s_{\min\{m,n\}+1,\min\{m,n\}+1}:=0$), then such a factorization for $M$ is unique and is called the Smith factorization.

Lemma 3.6. [Ili89, Sto98] For any $A=[a_{ij}]\in\mathbb{Z}^{n\times n}$, the Hermite and Smith factorizations of $A$ can be computed within $O(n^4\log^3(n\max_{i,j}|a_{ij}|))$ bit operations. Furthermore, the entries of all matrices in these factorizations have bit size $O(n^3\log^2(2n+\max_{i,j}|a_{ij}|))$. ■

Proof of Theorem 1.3: Define $X:=Z\bigl(\prod_{j=1}^{\ell_1}f_{1,j},\ldots,\prod_{j=1}^{\ell_k}f_{k,j}\bigr)$ and let us first

reduce to the special case where di = diCi for all i: Let M be the matrix whose 
columns are di, . . . ,dr and define x^^ := {x'^'^ , . . • , x'^''). An elementary calculation 
then reveals that if we have the Smith factorization UMV = S =: [si,j] (with S 
having exactly t nonzero entries), then x^ = 1 <^=J> (^i^'^, . . . , Zj*'*) = (!,..., 1), 
upon setting x:—z^. Via Lemma 3.6 we see that this change of variables can be
found within P and the increase in our input size is polynomial in 0(size(di) + 
• • • + size(d„)). So let us assume henceforth that di = SiCi (and let di = Si) for all 
iG{l, . . . ,t} and set r = t. 

The equivalence of HasTorus $\in$ P and P $=$ NP follows immediately from our earlier remarks on the polynomial hierarchy [Pap95, Thm. 17.9], assuming we indeed have HasTorus $\in$ coNP. So let us proceed with proving Assertions (1) and (2).

Assertion (1): The coNP-hardness of the $n=1$ restriction of HasTorus — stated equivalently as a problem involving sparse polynomial division — is essentially [Pla84, Thm. 4.1]. So we need only show that HasTorus $\in$ coNP for general $n$ and, thanks to our preceding reductions, this can be done by proving that Algorithm 3.4 is correct and runs within coNP.

Correctness follows immediately from Lemma 3.3 applied to the polynomials
from(9i),...,(9fc). 

To analyze the complexity of Algorithm 3.4, first note that Steps 0 and 1 can clearly be done in polynomial time and Step 3 takes essentially constant time. So it suffices to focus on the complexity of Step 2.

Let us then observe that for any ii,...,i„ g Z/gZ, we can verify (Pi) in 
polynomial-time: By basic finite field arithmetic (see, e.g., [BS96, Ch. 5]), we can clearly decide within P whether any $f_{i,j}$ vanishes at a given point in $(\mathbb{Z}/q\mathbb{Z})^n$ using a number of bit operations polynomial in size($g$) $\log q$, and we then simply
multiply the appropriate fi j. In total, checking (^i), . . . , (^fc) at any given point 
in [Z/qZiy^ requires a number of bit operations at worst k times a polynomial in 



log(9) 



J2 size(dj)^ + X;*Li EjLi size(/jj) 



Now observe that size((;) = 0(log Af) = 0(log(A^) + log(£>) + J2l=i logdi); which is 
clearly linear in our input size. Note also that the integer $N$ from Algorithm 3.4
(which by definition is no larger than M) is clearly an upper bound on the 1-norms 
of the polynomials from ('v'l), . . ., (^fc)- ^^^y instance of inequality (<^i) can 
clearly be checked in P. 

Now note that verifying $q=cM+1$ is indeed prime can be done in time polynomial in $\log q$ (which is in turn polynomial in our input size): One can either use the succinct primality certificates of Pratt [Pra75], or the deterministic polynomial-time primality testing algorithm from [AKS04]. So Step 2 is nothing more than verifying the truth of the following quantified sentence:

3c3ti ■ ■ ■ 3tn3i [{cM + 1 prime) A {c<M^°) A (Pi)] . 
$X$ contains the subtorus $T(d_1e_1,\ldots,d_re_r)$ iff the preceding sentence is false. So via our preceding observations, the truth of the sentence being quantified can be verified in P, and our algorithm thus runs in coNP.

Assertion (2): Suppose $n,\ell_1,\ldots,\ell_k,d_1,\ldots,d_n$ are fixed. Then, by Proposition 3.2 (with $\ell$ constant), we can decide HasTorus in P simply by reducing the exponents modulo suitable integers and doing a brute-force check of the congruence condition given by Lemma 3.3. ■



Example 3.7. While it is tempting to propose a variant of Algorithm 3.4 to detect translated subtori, here is an example showing that at least one naive extension breaks down quickly: Suppose $q=kd+1$ is prime (we can take $k>2$ and
arbitrary large by Linnik's Theorem), g{x) :— ^x'^'^ — 1 with 7 = 2"^ mod q and 
7£ {l,...,g — 1}; and we want to see if g vanishes at half of every d— root of 
unity. Since this happens iff g{x/2) vanishes at every d— root of unity, we could 
try to mimic Algorithm \3.4\ by checking whether g{t^'^~^^^'^ /2) = mod q for all 
te{Z/qZ)*. This IS indeed so, since g{t^i-^^/'^ /2) ^ -f - i^^^ - 1 = 2'' • ^ - 1 = 
mod q. However, g{Q/2) — 2(g-i)d — It^O for Q any d— root of unity, o 
4. From Subtori to Torsion Points: Theorem 1.1 in One Variable, Unconditionally

With some modifications, Algorithm 3.4 — which we used to detect subtori — can be used to efficiently find torsion points in the univariate case.

Algorithm 4.1 (For TorsionPoint$_1$, unconditionally).
Input: Polynomials $f_1,\ldots,f_k$ and a positive integer $d$.

Output: A true declaration of whether $Z(f_1,\ldots,f_k)$ contains a point $\zeta$ with $\zeta^d=1$.
Description:

(1) Using Algorithm 3.4, nondeterministically decide whether there is a $\delta\mid d$ with $Z(f_1g_\delta,\ldots,f_kg_\delta)\supseteq Z(x_1^\delta-1)$ where

$g_\delta(x_1):=\prod_{p\text{ a prime dividing }\delta}\bigl(x_1^{\delta/p}-1\bigr)$.

(2) If the desired $\delta$ from Step 1 exists then stop and output "YES". Otherwise, stop and output "NO". ⋄

Just as in our last algorithm, the adverb "nondeterministically" can be interpreted in two ways: first, one can simply employ brute-force search, and this strategy is dramatically simpler and easier to implement than resultants or Gröbner bases. All of our examples were handled in this simple way, and the respective timings were already competitive with the latter techniques (cf. Examples 1.2, 2.2, 2.5, and 5.4).

Alternatively, one can observe that Step 1 is equivalent to deciding the truth of a quantified Boolean sentence of the form $\exists y_1\cdots\exists y_{u'}\,\forall y_{u'+1}\cdots\forall y_u\,B(y_1,\ldots,y_u)$, with $B(y_1,\ldots,y_u)$ computable in time polynomial in the size of our initial input. This type of sentence forms one of the definitions of the complexity class NP$^{\text{NP}}$.

Proof of Assertion (2) of Theorem 1.1: The NP-hardness of TorsionPoint$_1$ is already implicit in the proof of [Pla84, Thm. 5.1], so we need only show that TorsionPoint$_1$ $\in$ NP$^{\text{NP}}$. To do the latter, we will prove the correctness of Algorithm 4.1 and that it indeed runs within NP$^{\text{NP}}$.

The correctness of Algorithm 4.1 follows immediately from Step 1 and the correctness of Algorithm 3.4. In particular, it is clear that $f_i$ vanishes at a primitive $\delta^{\text{th}}$ root of unity (indeed, at all primitive $\delta^{\text{th}}$ roots of unity) iff $(x_1^\delta-1)\mid f_i(x_1)g_\delta(x_1)$.

Recalling that we've already proved that Algorithm 3.4 runs in coNP in the last section, Step 1 thus consists of a single existential quantifier calling a coNP algorithm. In particular, verifying that a putative $\delta$ satisfies $\delta\mid d$ can clearly be done in P, and thus Algorithm 4.1 runs in NP$^{\text{NP}}$. ■
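The divisibility criterion used in Step 1 of Algorithm 4.1 can be checked exactly on sparse input by reducing exponents modulo $\delta$. The following Python code is an added example, not code from the paper: it replaces the call to Algorithm 3.4 by exact reduction modulo $x_1^\delta-1$, tries every divisor $\delta$ of $d$ by brute force, and all function names are hypothetical.

```python
# Added example: exact, sparse version of Step 1 of Algorithm 4.1.
# A polynomial is a dict {exponent: integer coefficient}. All function
# names are hypothetical and are not taken from the paper.
from math import isqrt


def prime_divisors(n):
    """Distinct primes dividing n (trial division)."""
    primes, p = [], 2
    while p * p <= n:
        if n % p == 0:
            primes.append(p)
            while n % p == 0:
                n //= p
        p += 1
    if n > 1:
        primes.append(n)
    return primes


def divisors(n):
    """All positive divisors of n in increasing order."""
    small = [k for k in range(1, isqrt(n) + 1) if n % k == 0]
    return sorted(set(small + [n // k for k in small]))


def g_delta(delta):
    """Sparse form of g_delta(x) = prod over primes p | delta of (x^(delta/p) - 1)."""
    g = {0: 1}
    for p in prime_divisors(delta):
        e, nxt = delta // p, {}
        for a, c in g.items():
            nxt[a + e] = nxt.get(a + e, 0) + c   # contribution of x^(delta/p)
            nxt[a] = nxt.get(a, 0) - c           # contribution of -1
        g = {a: c for a, c in nxt.items() if c}
    return g


def product_mod_binomial(f, g, delta):
    """Remainder of f*g modulo x^delta - 1: exponents are reduced mod delta."""
    out = {}
    for a, c in f.items():
        for b, e in g.items():
            k = (a + b) % delta
            out[k] = out.get(k, 0) + c * e
    return {k: c for k, c in out.items() if c}


def vanishes_at_primitive_roots(f, delta):
    """True iff (x^delta - 1) divides f * g_delta, i.e. iff f vanishes at
    every primitive delta-th root of unity."""
    return not product_mod_binomial(f, g_delta(delta), delta)


def torsion_point_order(polys, d):
    """Smallest delta | d at whose primitive delta-th roots of unity all
    polynomials in polys vanish, or None if no d-th root of unity is a
    common root."""
    for delta in divisors(d):
        if all(vanishes_at_primitive_roots(f, delta) for f in polys):
            return delta
    return None


if __name__ == "__main__":
    # Constructed inputs: 1 + x + x^2 and x^2 + 1.
    print(torsion_point_order([{0: 1, 1: 1, 2: 1}], 6))   # order 3
    print(torsion_point_order([{0: 1, 2: 1}], 6))          # no 6th root of unity
```

The cost per $\delta$ is the number of terms of $f_i$ times the number of terms of $g_\delta$, independent of the degree of $f_i$; the enumeration of divisors of $d$ is the brute-force part.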

Remark 4.2. One can show that the number of possible $\delta$ dividing $d$ in Step (1) of Algorithm 4.1 is $O(d^{\varepsilon})$ (for any $\varepsilon>0$), $O((\log d)^{\log(2)+\varepsilon})$ for a fraction of integers approaching 1 as $d\to\infty$ (for any $\varepsilon>0$), and $O(\log d)$ on average. This follows easily from earlier estimates on the number of divisors of an integer (see, e.g., [HR17, NR83, DN94] and the references therein). Practically speaking, this means that the main complexity bottleneck in Algorithm 4.1 is the efficient detection of cyclotomic factors. ⋄

Before moving to the higher-dimensional case of TorsionPoint, let us point out that the product trick underlying Algorithm 4.1 does not naively extend to $n>1$.
Example 4.3. Since $1+\omega_3+\omega_3^2=0$ for any primitive third root of unity $\omega_3$, we see that $1+x+y$ vanishes at a point with coordinates third roots of unity. Can we derive a (polynomial-time certifiable) criterion to detect this, in the spirit of Lemma 2.3 or Step 1 of Algorithm 4.1?

As an initial attempt, one could first consider the product

$(1+x+y)(x-1)(y-1)$

(based on mimicking the use of $f_ig_\delta$ in Algorithm 4.1) and see if it lies in the ideal $\langle x^3-1,y^3-1\rangle$. The preceding product, unfortunately, fails this criterion.

On the other hand, the larger product

$(1+x+y)(1+x+y^2)(x-1)(y-1)$

does lie in the ideal $\langle x^3-1,y^3-1\rangle$. However, the most obvious extension of the latter product results in a certificate which can have exponentially many factors in general. ⋄

While the latter idea does not obviously yield an efficient higher-dimensional extension of Algorithm 4.1, it does enable one to prove the correctness of a different (and efficient) higher-dimensional extension of Algorithm 4.1. This we now detail.

5. Completing the Proof of Theorem 1.1

Let us first state an important quantitative result, which follows directly from the effective arithmetic Nullstellensatz of Krick, Pardo, and Sombra [KPS01].

Theorem 5.1. Suppose $f_1,\ldots,f_k\in\mathbb{Z}[x_1,\ldots,x_n]$, $d_1,\ldots,d_n$ are positive integers, $F:=(f_1,\ldots,f_k)$, $E:=\max\{\max_i\deg f_i,\max_i d_i\}$, and $\sigma(F)$ is one plus the maximum of the absolute value of the log of any coefficient of any $f_i$. Then $F(x)=x_1^{d_1}-1=\cdots=x_n^{d_n}-1=0$ has no complex roots iff there are polynomials $g_1,\ldots,g_k,h_1,\ldots,h_n\in\mathbb{Z}[x_1,\ldots,x_n]$, and a positive integer $a$, with

(★★) $g_1(x)f_1(x)+\cdots+g_k(x)f_k(x)+h_1(x)(x_1^{d_1}-1)+\cdots+h_n(x)(x_n^{d_n}-1)=a$

identically, and

(1) $\deg g_i,\deg h_i<2n^2E^{n+1}$

(2) $\log a<2(n+1)^3E^{n+1}\bigl(\sigma(F)+\log(k+n)+14(n+1)E\log(E+1)\bigr)$.

Since $a$ has no more than $1+\log a$ prime factors, it is clear that the identity (★★) persists — with a nonzero right-hand side — even after reduction modulo a prime, for all but finitely many primes. This in turn easily implies that lacking torsion points (for fixed degree) is a property that persists as one passes from $\mathbb{C}$ to most finite fields, and the number of exceptions is no more than one plus the right-hand side of Inequality (2) above. The following lemma shows how possessing torsion points persists as one passes from $\mathbb{C}$ to certain special finite fields.

Lemma 5.2. Following the notation of Theorem 5.1, suppose $f_1(x)=\cdots=f_k(x)=x_1^{d_1}-1=\cdots=x_n^{d_n}-1=0$ has a complex root. Then the mod $q$ reduction of the preceding system has a root in $(\mathbb{Z}/q\mathbb{Z})^n$ for any $q$ with $q\equiv 1 \bmod \mathrm{lcm}\{d_1,\ldots,d_n\}$ and $q$ prime.

Proof: Letting $F=(f_1,\ldots,f_k)$, note that $Z(F)$ has a torsion point of the specified type iff $Z(F)$ contains a point $\zeta=(\zeta_1,\ldots,\zeta_n)$ with $\zeta_i$ a primitive $\delta_i^{\text{th}}$ root of unity, for some positive integers $\delta_1,\ldots,\delta_n$ with $\delta_i\mid d_i$ for all $i$. Note then that the polynomial

$h_i(x_1,\ldots,x_n):=\prod_{\substack{(j_2,\ldots,j_n)\\ j_s\text{ coprime to }\delta_s\ \forall s\in\{2,\ldots,n\}}} f_i\bigl(x_1,x_2^{j_2},\ldots,x_n^{j_n}\bigr)$

must satisfy $Z\bigl(h_i(x_1,\ldots,x_n)\,g_{\delta_1}(x_1)\cdots g_{\delta_n}(x_n)\bigr)\supseteq T(\delta_1e_1,\ldots,\delta_ne_n)$ for all $i$, where $g_\delta$ is the polynomial defined in Step 1 of Algorithm 4.1.

Now suppose $q:=c\cdot\mathrm{lcm}\{d_1,\ldots,d_n\}+1$ is prime. Then, via the ($\Longrightarrow$) portion of Lemma 3.3 (which, visible from its proof, does not require any assumptions on
the coefficient size), we must have hi^xl, . . . , x'i^)gsi (^i) ' ' ' 9Sn (^n) identically zero 
on ((Z/gZ)*)". 

Since the roots of 5(5i (2^1 ) • ■ ■ <7(5„ (a;^ ) are a proper subset of ((Z/^/Z)*)", and 
since $\mathbb{Z}/q\mathbb{Z}$ has no zero divisors, we must have that for all $i$, some factor of $h_i$ must have a root in $((\mathbb{Z}/q\mathbb{Z})^*)^n$. So we are done. ■

Our final algorithm is actually the simplest of the three algorithms of this paper. 

Algorithm 5.3 (For TorsionPoint in general, assuming APH).
Input: Polynomials $f_1,\ldots,f_k\in\mathbb{Z}[x_1,\ldots,x_n]$, positive integers $d_1,\ldots,d_n$, and a suitable value for the constant $C>1$ from APH.

Output: A declaration of whether $Z(f_1,\ldots,f_k)$ contains a point $\zeta=(\zeta_1,\ldots,\zeta_n)$ with $\zeta_i^{d_i}=1$ for all $i$, meaningful and correct with probability > |.
Description:

(1) Let $E:=\max\{\max_i\deg f_i,\max_i d_i\}$, $M:=\mathrm{lcm}\{d_1,\ldots,d_n\}$, and let $\sigma(F)$ be one plus the maximum of the log of the absolute value of any coefficient of any $f_i$.

(2) Via recursive squaring, find the smallest $J$, $K$, and $L$ such that
$L>1+2(n+1)^3E^{n+1}\bigl(\sigma(F)+\log(k+n)+14(n+1)E\log(E+1)\bigr)$,
K > max{eC' , 2^°s'^ , 36^2 bg^^ M} and J> log(6) log'^ [KM) . 

(3) Pick no more than $J$ random $j\in\{1,\ldots,K\}$ until one either has $q:=jM+1$ prime, or $J$ such numbers that are all composite. In the latter case, stop and output "I HAVE FAILED. PLEASE FORGIVE ME.".

(4) Nondeterministically, decide whether the mod $q$ reduction of

$f_1(x)=\cdots=f_k(x)=x_1^{d_1}-1=\cdots=x_n^{d_n}-1=0$

has a root in $(\mathbb{Z}/q\mathbb{Z})^n$.

(5) If there is such a solution then stop and output "YES". Otherwise, stop and output "NO". ⋄

We are now ready to conclude the proof of Theorem 1.1.

Conclusion of Proof of Theorem 1.1: The equivalence of TorsionPoint$_1$ $\in$ P and P $=$ NP follows immediately from our earlier remarks on the polynomial hierarchy [Pap95, Thm. 17.9], assuming we indeed have TorsionPoint$_1$ $\in$ NP$^{\text{NP}}$. The latter is contained in Assertion (2), which we already proved in the last section. So let us proceed with proving Assertions (1) and (3).

Proof of Assertion (1): It clearly suffices to show that Algorithm 5.3 is correct and runs within AM.

Let $F:=(f_1,\ldots,f_k)$. Correctness follows easily from Theorem 5.1 and Lemma 5.2. In particular, observe that $K$ — the size of our sample space of numbers congruent to 1 mod $M$ — is just large enough so that APH implies $\{1,\ldots,K\}$ contains at least $6L$ primes. (This follows easily from the basic implication
a; > e*-^ =^ k^^rj — V^O Notice also that if F does not vanish at any torsion 
point of interest, then the mod $q$ reduction of $F$ does vanish at a torsion point of interest for at most $L$ primes $q$, thanks to Theorem 5.1. So the probability of a false "YES" answer is < | . Furthermore, by a routine binomial probability estimate, using the inequality $1-t<e^{-t}$ for $t\in(0,1)$, we obtain that the probability of drawing $J$ composite integers is < ^. In other words, with probability > |, Algorithm 5.3 gives the right answer.
To conclude, we need only observe that the seemingly large constants nevertheless yield low complexity. In particular, observe that the number of random bits
necessary to do our random sampling is 0{J log K) = 0^[log'^(M) + log{L)]^^^ 

and the number of bit operations we must do is near-linear in $O(J\log K)$ (via fast finite field arithmetic [BS96, Ch. 5]). It is then easily checked that $\log M$ and $\log L$ (and thus $J$) are polynomial in our input size, so our algorithm is nothing more than a BPP algorithm, followed by a single call to an NP-oracle. This is exactly the definition of an AM algorithm [BM88], so we are done.

Proof of Assertion (3): Let us fix $n$ and $d_1,\ldots,d_r$, and recall the notation of Algorithm 4.1 and the proof of Lemma 5.2. As observed in the proof of Lemma 5.2, $F$ has a torsion point as specified iff there are positive integers $\delta_1,\ldots,\delta_n$ with $\delta_j\mid d_j$ for all $j$, such that for all $i$, the complex zero set of

$\Bigl(\prod_{j_s\text{ coprime to }\delta_s\ \forall s\in\{2,\ldots,n\}} f_i\bigl(x_1,x_2^{j_2},\ldots,x_n^{j_n}\bigr)\Bigr)\,g_{\delta_1}(x_1)\cdots g_{\delta_n}(x_n)$

contains $T(\delta_1e_1,\ldots,\delta_ne_n)$. By Lemma [^751 since the number of factors and possible $n$-tuples $(\delta_1,\ldots,\delta_n)$ is constant, the preceding check can be done in P. ■

Example 5.4. Consider the bivariate polynomial system $F:=(f,g)$ where $f$ and $g$ are respectively

„3879876„,4594590 , „3879876„,4339335 , _3879876„,4084080 , „3879876„,3828825 , ^2909907 4594590 , 
„3879876„ 3573570 , _2909907„ 4339335 , „3879876„ 3318315 , „2909907„ 4084080 , „3879876„ 3063060 , 

X y -\-x y -\-x y -'rx y -\-x y -\- 

„2909907„ 3828825 , „3879876„ 2807805 , „1939938„ 4594590 , „2909907„ 3573570 , „3879876„ 2552550 , 

X y -\-x y i-a; y +x y +x y -\- 

„1939938„,4339335 , „2909907 3318315 , „3879876„,2297295 , 1939938„,4084080 , „2909907 3063060 , 
Jb y ~!~ Jb y ~t~ y I Jb y ~t~ J-/ y (~ 

„3879876„,2042040 , „1939938 , 3828825 , „2909907 2807805 , „3879876„, 1786785 , „969969,, 4594590 , 
X y ~r X y -pJ' y ~r X y ~r X y -j- 

„1939938„,3573570 , „2909907,, 2552550 , „3879876„, 1531530 , „969969„,4339335 , „1939938 , 3318315 , 
Jb y ~Y' Jb y ~\~ jj y ~\~ Jb y ~|~ jb y ~t~ 

^2909907^^2297295 _|_ ^3879876 ^1276275 ^^969969^4084080 ^^1939938^3063060 _|_ ^2909907^2042040 ^ 

„3879876„, 1021020 , _969969„, 3828825 , „1939938 ,,2807805 , „2909907,, 1786785 , _3879876,, 765765 , 
Jb y ~Y' Jb y ~\~ Jb y ~\~ Jb y ~|~ Jj y ~\~ 

,,4594590 ,^969969,, 3573570 , ^1939938 ,,2552550 , „2909907 1531530 , „3879876,, 510510 , ,,4339335 , 
y ^x y -r X y -rX y -r x y -r y -f- 

„969969,, 3318315 , _1939938,, 2297295 , „2909907,, 1276275 , _3879876 ,,255255 , ,,4084080 , 
X y ~r X y -T X y -r x y > y i 

„969969,, 3063060 , „1939938,, 2042040 , _2909907,, 1021020 , „3879876 , ,,3828825 , „969969,, 2807805 , 

Jb y ~\~ Jj y ~r Jj y ~i~ Jb ~i~ y ~i~ jb y ~p 

„1939938,, 1786785 , „2909907,, 765765 , ,,3573570 , _969969,, 2552550 , „1939938, , 1531530 , 
X y -\- X y ~v y -r X y -r x y -t- 

„2909907„ 510510 , „ 3318315 , ^969969 2297295 , ^1939938 1276275 , 2909907, 255255 , 3063060 , 

X y +y +x y +x y +x y +y + 

„969969, 2042040 , ^1939938, 1021020 , ^2909907 , „ 2807805 , ^969969, 1786785 , ^1939938, 765765 , 

x y +x y +x +y +x y +x y + 

,,2552550 I „969969,, 1531530 , „1939938,, 510510 , ,,2297295 , „969969„1276275 , „1939938„255255 , 
y -r X y -r x y > y -r x y -r x y -t- 

2042040 I „969969,, 1021020 , „1939938 , ,,1786785 , ^969969, ,765765 , ,,1531530 , ^969969, ,510510 , 
y -r X y -r x -t- y -rx y -r y -rx y -f- 

,,1276275 I „969969,, 255255 , ,,1021020 , „969969 , ,,765765 , ,,510510 ^285285 _,_ ,,255255 , n 
y -t X y -t y -i- x -\- y -\- y x -t y 

and 

„4594590,, 285285 , „4339335,, 285285 _ „4594590 , _4084080,, 285285 _ _4339335 , _3828825,, 285285 _ 

Jj (J |~ Jj (J Jj | Jj (J Jj |~ Jj (J 

^4084080 _25 y3879876_|_^3573570y285285_^3828825_|_^3318315y285285_^3573570_|_^3063060j^285285_ 

^3318315 ,^2807805, ,285285 ^3063060 oi^ «,2909907, ^2552550, ,285285 ^2807805 ,^2297295, ,285285 
Jb ~\~jb y — Jb — AO y ~\~jb y — jj ~\~jb y — 

^2552550 ,^2042040, ,285285 ^2297295 , ^1786785, ,285285 ^2042040 or ,,1939938 ,^1531530, ,285285 

Jb ~\~ Jb y — Jb \~J-' y — Jb — y ~\~jb y — 

„1786785 I „1276275„285285 _ _1531530 , „1021020,, 285285 _ „1276275 , _765765„285285 _ _1021020 

J/ "p Jj y Jj ~Y' Jb y Jb ~|~ Jb y Jb 

25 2^969969 _|_ ^510510^285285 _ ^765765 _|_ ^255255^^285285 _ ^510510 _|_ ^285285 _ ^255255 _ 2g 

which respectively have degrees 8474466 and 4879875, and numbers of monomial terms 96 and 42. We would like to determine whether $F$ vanishes at a point $(\zeta,\mu)$ where both $\zeta$ and $\mu$ are $4849845^{\text{th}}$ roots of unity.

Algorithm 5.3 tells us we can do so, with a controllably small error probability, by finding a random prime $q$ of the form $4849845c+1$ and checking if the mod $q$ reduction of $F$ has a root in $((\mathbb{Z}/q\mathbb{Z})^*)^2$. Taking $c=22$ yields the prime $q=106696591$, and proceeding with this choice we see that the pair $(75770298, 101629661)$ is just such a root. This indicates that $F$ may indeed vanish at a pair of $4849845^{\text{th}}$ roots of unity, and running Algorithm 5.3 $r$ times would allow us to decide this with an error probability < by taking the answer that occupies the majority. (This example in fact vanishes at all $(\zeta,\mu)$ with $\zeta$ and $\mu$ primitive $95^{\text{th}}$ roots of unity so, since $95\mid 4849845$, our putative answer is correct.)

One could instead try to compute a Gröbner basis for the ideal $\langle f,g,x^{4849845}-1,y^{4849845}-1\rangle$. The resulting basis will then be $\{1\}$ iff $F$ does not vanish at any pair of $4849845^{\text{th}}$ roots of unity. Trying one of the best Gröbner basis engines (Singular, version 3-0-2), we are immediately thwarted: the maximum allowed exponent size is 65536. Trying three smaller examples with respective total degrees 92114 and 65296 (and respective numbers of monomial terms 70 and 40) resulted in "Out of memory" errors within about 14 minutes in all cases.

On the other hand, while a brute-force implementation of Algorithm 5.3 can run slowly, the corresponding Maple implementation has no memory problems for our examples here. ⋄
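A brute-force version of Steps 3 to 5 of Algorithm 5.3, as an added example that is not the Maple implementation mentioned above: the multipliers $j$ are supplied by the caller instead of being sampled under the bounds $J$, $K$, $L$ of Step 2 (so no error bound is claimed), Step 4 is done by exhaustive search, and all function names are hypothetical. The constructed input $1+x+y$ from Example 4.3 has a genuine root modulo $q=7$ for $d=(3,3)$ and a spurious one modulo the exceptional prime $q=3$ for $d=(2,2)$.

```python
# Added example: Steps 3-5 of Algorithm 5.3 by exhaustive search.
# A polynomial is a dict {(e_1, ..., e_n): integer coefficient}.
# All function names are hypothetical; they are not from the paper.
from functools import reduce
from itertools import product
from math import gcd, isqrt


def is_prime(n):
    """Trial division, adequate for the small moduli used here."""
    if n < 2:
        return False
    return all(n % p for p in range(2, isqrt(n) + 1))


def roots_of_unity_mod(q, d):
    """All d-th roots of unity in (Z/qZ)*, for q prime and d | q - 1.

    The map t -> t^((q-1)/d) sends the cyclic group (Z/qZ)* onto them.
    """
    return sorted({pow(t, (q - 1) // d, q) for t in range(1, q)})


def eval_mod(f, point, q):
    """Evaluate the sparse polynomial f at point, modulo q."""
    total = 0
    for exps, coeff in f.items():
        term = coeff % q
        for t, e in zip(point, exps):
            term = term * pow(t, e, q) % q
        total = (total + term) % q
    return total


def torsion_root_mod_q(polys, ds, j):
    """Search for a common root with x_i^(d_i) = 1 modulo q = j*M + 1.

    Returns None if q is composite, else (q, root) or (q, None).
    """
    M = reduce(lambda a, b: a * b // gcd(a, b), ds)  # M = lcm{d_1, ..., d_n}
    q = j * M + 1
    if not is_prime(q):
        return None
    candidates = [roots_of_unity_mod(q, d) for d in ds]
    for point in product(*candidates):
        if all(eval_mod(f, point, q) == 0 for f in polys):
            return q, point
    return q, None


def decide(polys, ds, multipliers):
    """Majority vote over the prime moduli q = j*M + 1, j in multipliers."""
    votes = []
    for j in multipliers:
        result = torsion_root_mod_q(polys, ds, j)
        if result is not None:
            votes.append(result[1] is not None)
    if not votes:
        return "FAILED"
    return "YES" if 2 * sum(votes) > len(votes) else "NO"


# Constructed input: f = 1 + x + y, as in Example 4.3.
F = [{(0, 0): 1, (1, 0): 1, (0, 1): 1}]

if __name__ == "__main__":
    print(torsion_root_mod_q(F, (3, 3), 2))   # root modulo q = 7
    print(torsion_root_mod_q(F, (2, 2), 1))   # spurious root modulo q = 3
    print(decide(F, (2, 2), range(1, 7)))
```

Over $\mathbb{C}$ the values $1\pm1\pm1$ are never zero, so the root found modulo $q=3$ is a false "YES" of exactly the kind that the bound $L$ on exceptional primes controls.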

6. Is TorsionPoint NP-complete? 

We close this paper by observing a possible speed-up to our last algorithm: One could instead simply attempt to nondeterministically guess a small number of suitable primes (instead of randomly sampling a large set), and then check nondeterministically whether one has torsion points modulo these primes. In particular, if the number of such "guessed" primes is polynomial in the input size, then it can be proved via the techniques of this paper that such an approach would yield TorsionPoint $\in$ NP.

However, it is not clear how to prove that a small enough number of primes 
can be used. In particular, our final example shows that one definitely needs to use 
at least 3 primes, already for one variable. 

Example 6.1. Taking 

f{xi) :=4 - ixf - 3a;P + Axf - a;f + Qxf + bxf - 2x\^^ + 3a;i05 
and $d:=210$, it can be checked via Maple 9.5 (within 2 hours, 13 minutes, and 42.63 seconds) that $f$ does not vanish at any $d^{\text{th}}$ root of unity. One would prefer to do this check modulo an intelligently chosen prime of the form $210c+1$ instead. However, there are exceptional primes which, using this approach, would cause one to falsely declare that $f$ does vanish at a $d^{\text{th}}$ root of unity. In this case it is easily checked that the exceptional primes are exactly the divisors of the resultant of $f$ and $x^{210}-1$ which (up to sign) is

2227699600874096872564585144832612236369963246002360338615319497424201747782488174224095731882015016718028 
and factors as 

(2)^(13)(29)(37){43)(61)(71)(1801)(108557)(659101)(69529066111)(261727038763)(20353321490154047885351)(449182807853883447737046/06077385 

In particular, we see that the $11^{\text{th}}$ and $14^{\text{th}}$ prime factors above are both congruent to 1 mod 210, and could thus lead to false "YES" answers. ⋄

It is interesting to note that Pascal Koiran has already given some evidence that it may be hard to prove that the more general problem $\mathrm{FEAS}_{\mathbb{C}}$ is NP-complete. His evidence is based on the fact that $\mathrm{FEAS}_{\mathbb{C}}$ contains a hard circuit-theoretic problem [Koi96, Sec. 6]. However, such a reduction does not appear to be known for TorsionPoint, so there may be more hope that TorsionPoint $\in$ NP than $\mathrm{FEAS}_{\mathbb{C}}\in$ NP.